1. Field
The present invention lies in the field of database management systems. In particular, invention embodiments relate to controlling data supplied in response to queries by applying access control.
2. Description of the Related Art
Resources, particularly data, need to be protected from unauthorized access. An architecture for implementing this process is called “Access Control”, which is an implementation of the middle “A” in the AAA security protocol (Authentication, Authorization, and Audit). Access control can be broken into several architecturally independent activities. The key roles in the access control process are described in [RFC 2094]. These concepts are used in the XACML standard to control access to resources, and such resources may be stored as, or represented by, individual elements of data within a graph structured database. The following list highlights these roles as used in XACML, which provides a context in which embodiments may be implemented:
Policy administration point (PAP): the system entity that creates a policy or policy set;
Policy decision point (PDP): the system entity that evaluates applicable policy and renders an authorization decision. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Decision Function” (ADF) in [ISO10181-3];
Policy enforcement point (PEP): the system entity that performs access control, by making decision requests and enforcing authorization decisions. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Enforcement Function” (AEF) in [ISO10181-3];
Policy information point (PIP): the system entity that acts as a source of attribute values.
FIG. 4 illustrates an exemplary data flow in an XACML access control architecture. Steps S1 to S13 represent an ordered flow of information between access control entities. Embodiments of the present invention may be implemented in an XACML context to provide the functionality of the PEP and the PDP.
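The following is an added example, not part of the patent text and not the XACML specification's own syntax, that models the four XACML roles listed above and applies them to the use case the Field describes: a PEP that filters the individual elements returned by a query, asking a PDP for a decision per element while a PIP supplies the requesting subject's attributes. The rule language, attribute names (department, clearance, classification), the deny-overrides combining behaviour, and the sample graph nodes and subjects are all assumptions constructed for the example.

```python
"""Minimal model of the XACML roles (PAP, PDP, PEP, PIP) applied to
per-element filtering of query results. Constructed example; the rule
representation and attribute names are assumptions, not XACML syntax."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    effect: str  # PERMIT or DENY
    # condition(subject_attrs, resource_attrs, action) -> True if the rule applies
    condition: Callable[[Dict, Dict, str], bool]


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)


class PolicyAdministrationPoint:
    """PAP: the entity that creates the policy the PDP will evaluate."""

    def __init__(self) -> None:
        self.policy = Policy()

    def add_rule(self, rule: Rule) -> None:
        self.policy.rules.append(rule)


class PolicyInformationPoint:
    """PIP: source of attribute values not carried in the decision request."""

    def __init__(self, subject_directory: Dict[str, Dict]) -> None:
        self._subjects = subject_directory

    def subject_attributes(self, subject_id: str) -> Dict:
        # Unknown subjects get no attributes; rules must treat that as least privilege.
        return dict(self._subjects.get(subject_id, {}))


class PolicyDecisionPoint:
    """PDP: evaluates applicable rules with deny-overrides combining."""

    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self.pap, self.pip = pap, pip

    def decide(self, subject_id: str, resource: Dict, action: str) -> str:
        subject = self.pip.subject_attributes(subject_id)
        decision = NOT_APPLICABLE
        for rule in self.pap.policy.rules:
            if rule.condition(subject, resource, action):
                if rule.effect == DENY:
                    return DENY  # any applicable Deny wins
                decision = PERMIT
        return decision


class PolicyEnforcementPoint:
    """PEP: makes a decision request per element and enforces the answer."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def filter_results(self, subject_id: str, results: List[Dict], action: str = "read") -> List[Dict]:
        # Default deny: only elements with an explicit Permit are returned;
        # NotApplicable is withheld just like Deny.
        return [r for r in results if self.pdp.decide(subject_id, r, action) == PERMIT]


# --- constructed sample data: graph elements and a subject directory ---
GRAPH_ELEMENTS = [
    {"id": "n1", "department": "finance", "classification": "public"},
    {"id": "n2", "department": "finance", "classification": "internal"},
    {"id": "n3", "department": "hr", "classification": "internal"},
    {"id": "n4", "department": "hr", "classification": "restricted"},
    {"id": "n5", "department": "finance", "classification": "restricted"},
]
SUBJECTS = {
    "alice": {"department": "finance", "clearance": 1},
    "bob": {"department": "hr", "clearance": 3},
}


def build_pep() -> PolicyEnforcementPoint:
    """Wire the roles together: PAP writes rules, PDP consults PAP and PIP, PEP asks PDP."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule(PERMIT, lambda s, r, a: a == "read" and r["classification"] == "public"))
    pap.add_rule(Rule(PERMIT, lambda s, r, a: a == "read" and s.get("department") == r["department"]))
    pap.add_rule(Rule(DENY, lambda s, r, a: r["classification"] == "restricted" and s.get("clearance", 0) < 3))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint(SUBJECTS)))


def visible_ids(subject_id: str) -> List[str]:
    """Ids of the graph elements a query by subject_id is allowed to receive."""
    return [e["id"] for e in build_pep().filter_results(subject_id, GRAPH_ELEMENTS)]


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory"):
        print(who, visible_ids(who))
```

The PEP sits on the query path and never sees the policy itself; it only enforces per-element decisions, which is the split FIG. 4 describes between the PEP and the PDP. Note that an unknown subject still receives the public element because the first rule does not depend on subject attributes; whether that is the intended behaviour is a policy question for the PAP, not for the PEP.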